DAWN Ontario: DisAbled Women's Network Ontario

Technology Info, Tips, FAQs
You Can Use

Virus Information

Guide To Computer Viruses

What is a computer virus
What is a virus (and what are trojans and worms)
How do viruses work
How do viruses spread
How can I avoid infection
How does antivirus software work


What is malware -- viruses, trojans, worms and the like?

Below are three informative descriptions.

The first is a great link from Computer Viruses Simplified to a page defining malware using a user-friendly Venn diagram and a chatty wizard.

The second is a fairly concise excerpt from the University of Waterloo and the third provides more in-depth information about malware from alt.comp.virus.faq. Both excerpts are posted here with the permission of their administrators.



Source: University of Waterloo

The University of Waterloo (Ontario, Canada) has a great Guide to Computer Viruses from which the following has been excerpted (with permission).

What is a computer virus?

A computer virus is a self-replicating program, written intentionally to alter the way your computer operates without your knowledge or permission. Computer viruses are designed to attach themselves to other program files, and become activated when those programs are run. While active, a virus replicates by copying itself to other programs on any available disk.

Viruses exist in two forms:

  1. Active in your computer's memory.
  2. Lying dormant in files and boot records.

Some computer viruses damage the data on your disks by corrupting programs, deleting files, or even reformatting the disk. Just like the effects of biological viruses, the effects of computer viruses may be undetectable for days or weeks. Some viruses are timed to cause their damage at certain hours of the day or on certain dates. Before a virus does any noticeable damage to your system, an infected hard disk can infect disks you insert into your computer's floppy disk drive. Once infected, those floppy disks can infect other computers that read them. Thus the infection can spread before any damage is done. Turning off the computer removes viruses from memory, but not from disks or files that have been infected. The next time you use your computer, the virus is activated again and attaches itself to more programs.

Macro viruses

Macros are computer programs that are easily created to repeat a series of actions you do frequently using applications like Microsoft Word. Rather than repeating the actions over and over, these applications can record the actions as a "macro," and rerun the macro whenever you want.

Macro viruses are written to infect files you create with applications that support macros. They can spread to any file you subsequently save with those applications because, in applications like Microsoft Word, a macro can be set to run automatically whenever Word is started, so an infected global template re-runs the virus in every session and copies its macros into the documents you edit.

Other types of viruses

Please be aware that sometimes information about a virus is a hoax. Some examples of virus hoaxes are: AFP, AOL4FREE, Deeyenda, Eyes, Free Money, Ghost, Good Times, Hackingburgh, Irina, Join the Crew, Kiss of Death, Mpeg, PenPal Greetings, PKZ300, Russia Virus 666, Sheep and Win a Holiday.

These so-called viruses are usually circulated by email amongst offices, homes and the Internet saying something like "FWD: PASS THIS LETTER, I WANT TO WARN YOU ABOUT A VIRUS!" The irony of these messages is that the "virus" is the email you're passing. By spreading the email around and getting a good feeling inside thinking "all my friends are safe now that I've sent this email," you're inadvertently spreading the creator's virtual virus, which does nothing more than clog the system with all of these email warnings. Be careful to check whether or not these viruses are really being circulated.

If you hear about an email virus, you should know that the email message itself does not carry a virus; however, an attachment might. You might receive an infected Word document, Excel spreadsheet, or other application file. The only sense in which a hoax "email virus" is a virus is when hundreds of people flood the Internet with messages warning about it. Please do not forward email messages about non-existent viruses, as this only helps circulate the myth further.

More about computer viruses

The computer virus has a three-stage life cycle: infection, detection and recovery. In the infection stage, a virus infects a file in your computer. These infections come from a variety of sources:

  • Reused floppy disks from unknown sources
  • Floppy disks from home, school, or friends
  • Programs downloaded from the Internet or a BBS
  • Opened, re-shrinkwrapped, or pirated software
  • Preformatted floppy disks

Viruses can:

  • Infect program files used for word processing, spreadsheets or the operating system, and document files such as Microsoft Word .doc files that contain macros.
  • Infect the information stored on disks by attaching to special programs in areas called boot records and master boot records.
  • Corrupt files and data.
  • Wipe system BIOS settings requiring a trip to the repair shop.

Viruses cannot:

  • Damage hardware, such as keyboards or monitors, although strange behaviour, such as screen distortion or characters not appearing when typed, may occur. If this happens, a virus has affected the programs that control the display or keyboard.
  • Damage your disks physically.
  • Infect write-protected disks.

Note:

Your computer can be infected when you boot from an infected disk, reboot with an infected floppy disk left in the drive, or run an infected program. The virus spreads when you share the disk or infected program or log on to a network.



alt.comp.virus.faq

The following information has been excerpted with permission from alt.comp.virus.faq and is available in full at:
http://www.sherpasoft.org.uk/acvFAQ/.

(3) What is a virus (and what are trojans and worms)?

A (computer) virus is a program (a block of executable code), which attaches itself to, overwrites or otherwise replaces another program in order to reproduce itself without the knowledge of the PC user. It may damage or corrupt data, change data, or degrade the performance.

Many viruses are comparatively harmless, and may be present for years with no noticeable effect; some, however, may cause random damage to data files (sometimes insidiously, over a long period) or attempt to destroy files and disks. Others cause unintended damage. Even benign viruses (apparently non-destructive viruses) cause significant damage by occupying disk space and/or main memory, by using up CPU processing time, and by the time and expense wasted in detecting and removing them.

A Trojan Horse is a program intended to perform some covert and usually malicious act, which the victim did not expect or want. It differs from a destructive virus in that it doesn't reproduce (though this distinction is by no means universally accepted).

A dropper is a program which installs a virus or trojan, often covertly.

A worm is a program which spreads (usually) over network connections. Unlike a virus, it does not (usually) attach itself to a host program. In practice, worms are not normally associated with personal computer systems. There is an excellent and considerably longer definition in the Mk. 2 version of the Virus-L FAQ.

A logic bomb launches an attack when a designated condition is met, such as at a given date or when a specific function occurs on the computer. As opposed to viruses, logic bombs don't self-replicate.

(The following is a slightly academic diversion)

A lot of bandwidth is spent on precise definitions of some of the terms above. I have Fridrik Skulason's permission to include the following definition of a virus, which I like because it demonstrates most of the relevant issues.

#1 A virus is a program that is able to replicate -- that is, create (possibly modified) copies of itself.

#2 The replication is intentional, not just a side effect.

#3 At least some of the replicants are also viruses, by this definition.

#4 A virus has to attach itself to a host, in the sense that execution of the host implies execution of the virus.

#1 is the main definition, which distinguishes between viruses and trojans and other non-replicating malware.

#2 is necessary to exclude for example a disk-copying program copying a disk, which contains a copy of itself.

#3 is necessary to exclude "intended" not-quite-viruses.

#4 is necessary to exclude "worms," but at the same time it has to be broad enough to include companion viruses and .DOC viruses.

(4) How do viruses work?

A file virus attaches itself to a file (but see the section below or the comp.virus FAQ on the subject of companion viruses), usually an executable application (e.g., a word processing program or a DOS program). In general, file viruses don't infect data files. However, data files can contain embedded executable code such as macros, which may be used by virus or trojan writers. Recent versions of Microsoft Word are particularly vulnerable to this kind of threat. Text files such as batch files, postscript files and source code, which contain commands that can be compiled or interpreted by another program, are potential targets for malware (malicious software), though such malware is not at present common.

Boot sector viruses alter the program that is in the first sector (boot sector) of every DOS-formatted disk. Generally, a boot sector infector executes its own code (which usually infects the boot sector or partition sector of the hard disk), then continues the PC bootup (start-up) process. In most cases, all write-enabled floppies used on that PC from then on would become infected.

Multipartite viruses have some of the features of both the above types of virus. Typically, when an infected file is executed, it infects the hard disk boot sector or partition sector, and thus infects subsequent floppies used or formatted on the target system.

Macro viruses typically infect global settings files such as Word templates so that subsequently edited documents are contaminated with the infective macros.

The following virus types are more fully defined in the comp.virus FAQs (see preamble):

  • STEALTH VIRUSES - viruses that go to some length to conceal their presence from programs, which might notice.


  • POLYMORPHIC VIRUSES - viruses that cannot be detected by searching for a simple, single sequence of bytes in a possibly infected file, since they change with every replication.


  • COMPANION VIRUSES - viruses that spread via a file which runs instead of the file the user intended to run, and then runs the original file. For instance, the file MYAPP.EXE might be "infected" by creating a file called MYAPP.COM. Because of the way DOS works, when the user types MYAPP at the C> prompt, MYAPP.COM is run instead of MYAPP.EXE. MYAPP.COM runs its infective routine, then quietly executes MYAPP.EXE. NB: this is not the only type of companion (or "spawning") virus.


  • ARMOURED VIRUSES - viruses that are specifically written to make it difficult for an antivirus researcher to find out how they work and what they do.
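The companion (spawning) trick described above relies only on the order in which COMMAND.COM tries extensions, so it can be checked from a directory listing without touching file contents. The following is an added example written for this page, not code from alt.comp.virus.faq: it emulates the DOS lookup order (current directory, then each PATH directory; .COM before .EXE before .BAT in each) and reports every .EXE or .BAT that some other file would run in place of. The PATH, directories and file names (MYAPP, XCOPY.COM in C:\TEMP, and so on) are constructed for the illustration.

```python
"""Added example (not from the FAQ): a companion-virus check that emulates
how DOS's COMMAND.COM picks the file to run. Listing and PATH are constructed."""
from typing import Dict, List, Optional, Tuple

# COMMAND.COM looks in the current directory and then in each PATH directory,
# trying these extensions in this order in every directory it visits.
DOS_EXTENSION_ORDER = ("COM", "EXE", "BAT")

def resolve(command: str, search_path: List[str],
            listing: Dict[str, List[str]]) -> Optional[Tuple[str, str]]:
    """(directory, filename) DOS would run for `command`, or None if not found."""
    command = command.upper()
    for directory in search_path:
        names = {n.upper() for n in listing.get(directory, [])}
        for ext in DOS_EXTENSION_ORDER:
            candidate = f"{command}.{ext}"
            if candidate in names:
                return directory, candidate
    return None

def find_companions(search_path: List[str],
                    listing: Dict[str, List[str]]) -> List[str]:
    """Every .EXE or .BAT on the search path that would NOT be the file run
    when its base name is typed, i.e. a candidate companion-virus victim."""
    findings = []
    for directory in search_path:
        for name in listing.get(directory, []):
            base, _, ext = name.upper().rpartition(".")
            if ext not in ("EXE", "BAT"):
                continue
            winner = resolve(base, search_path, listing)
            if winner is not None and winner != (directory, name.upper()):
                findings.append(f"{directory}\\{name.upper()} is shadowed by {winner[0]}\\{winner[1]}")
    return sorted(findings)

# Constructed listing: current directory first, then the PATH entries.
SAMPLE_PATH = ["C:\\WORK", "C:\\TEMP", "C:\\DOS"]
SAMPLE_LISTING = {
    "C:\\WORK": ["MYAPP.EXE", "MYAPP.COM", "README.TXT"],   # MYAPP.COM: same-directory companion
    "C:\\TEMP": ["XCOPY.COM"],                              # made-up PATH companion for XCOPY.EXE
    "C:\\DOS":  ["EDIT.COM", "FORMAT.COM", "XCOPY.EXE"],
}

if __name__ == "__main__":
    print(resolve("MYAPP", SAMPLE_PATH, SAMPLE_LISTING))   # ('C:\\WORK', 'MYAPP.COM')
    for line in find_companions(SAMPLE_PATH, SAMPLE_LISTING):
        print(line)
```

On a real machine you would build `listing` with `os.listdir` over the current directory and each PATH entry, and the listing must include hidden files, since a spawned .COM is typically given the hidden attribute. A flagged pair is a suspect, not proof: some legitimate packages ship a small .COM loader beside an .EXE, so look at the .COM's size and date before deleting it.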

(5) How do viruses spread?

A computer is infected with a boot sector virus (or partition sector virus) if it is (re-)booted (usually by accident) from an infected floppy disk in drive A. Boot Sector/MBR infectors are the most commonly found viruses, and cannot normally spread across a network. These (normally) spread by accident via floppy disks, which may come from virtually any source: unsolicited demonstration disks, brand new software (even from reputable sources), disks used on your computer by salesmen or engineers, new hardware, or repaired hardware.

A file virus infects other files when the program to which it is attached is run, and so can spread across a network (often very quickly). They may be spread from the same sources as boot sector viruses, but also from sources such as Internet FTP sites and bulletin boards. (This applies also to Trojan Horses.)

A multipartite virus infects boot sectors and files. Often, an infected file is used to infect the boot sector: thus, this is one case where a boot sector infector could spread across a network.

(6) How can I avoid infection?

There is no way to guarantee that you will avoid infection. However, the potential damage can be minimized by taking the following precautions:

  • Make sure you have a clean boot disk -- test with whatever (up-to-date!) antivirus software you can get hold of and make sure it is (and stays) write-protected. Boot from it and make a couple of copies.


  • Use reputable, up-to-date and properly installed antivirus software regularly (see below). If you use a shareware package for which payment and/or registration is required, do it. Not only does it encourage the writer and make you feel virtuous, it means you can legitimately ask for technical support in a crisis.


  • Do some reading (see below). If you're a home user, you may well get an infection sooner or later. If you're a business user, it'll be sooner. Either way you'll benefit from a little background. If you're a business user you (or your enterprise) need a policy.


  • Don't rely solely on newsgroups like this to get you out of trouble: it may be a while before you get a response (especially from a moderated group like comp.virus), and the first response you act upon may not offer the most appropriate advice for your particular problem.


  • If you use a shareware/freeware package, make sure you have hard copy of the documentation before your system falls apart!


  • Always run a memory-resident scanner to monitor disk access and executable files before they're run.


  • If you run Windows, a reputable antivirus package which includes DOS and Windows components is likely to offer better protection than a DOS-only package. If you run Windows 95, you need a proper Win95 32-bit package for full protection.


  • Make sure your home system is protected, as well as your work PC.


  • Check all new systems and all floppy disks when they're brought in (from any source) with a good virus-scanning program.


  • Acquire software from reputable sources: secondhand software is frequently unchecked and sometimes infected. Bear in mind that shrinkwrapped software isn't necessarily unused. In any case, reputable firms have shipped viruses unknowingly.


  • Once formatted, keep floppies write-disabled except when you need to write a file to them; then write-disable them again.


  • Make sure your data is backed up regularly and that the procedures for restoring archived data work properly.


  • Scan preformatted diskettes before use.


  • Get to know all the components of the package you're using and consider which bits to use and how best to use them. Different packages have different strengths; diversifying and mixing and matching can, if carefully and properly done, be a good antivirus strategy, especially in a corporate environment.


  • If your computer can be prevented with a CMOS setting from booting with a disk in drive A, do it (and re-enable floppy booting temporarily when you need to clean-boot).

CMOS settings

Some CMOSes come with special antivirus settings. These are normally vague about what they do but typically they write-protect your hard disk's boot sector and partition sector (MBR). This can sometimes be used against boot sector viruses but may produce false alarms when you upgrade your operating system.

One sensible setting to make (if your CMOS allows) is to adjust the boot sequence of your PC. Changing the default boot-up drive order from A:, C: to C: only means that the PC will attempt to boot from drive C: even if a floppy disk has been left in drive A:. This way boot sector virus infection can often be avoided. Remember, however, to set your CMOS back temporarily if you ever do want to boot clean from floppy (for example, when running a cryptographic checksummer after a cold boot).

SCSI controllers have their own BIOS. On some systems, this will override the boot sequence set in CMOS. It's always a good idea to check with a (known clean) bootable floppy after you've disabled floppy booting that it really is disabled. I don't think it's necessary to use the Rosenthal Simulator to do this, thank you, Doren.

(7) How does antivirus software work?

  • Scanner (conventional scanner, command-line scanner, on-demand scanner) - a program that looks for known viruses by checking for recognizable patterns ("scan strings," "search strings," "signatures" [a term best avoided for its ambiguity]).


  • TSR scanner - a TSR (memory-resident program) that checks for viruses while other programs are running. It may have some of the characteristics of a monitor and/or behaviour blocker.


  • VxD scanner - a scanner implemented as a Windows virtual device driver (for Windows 3.x, or perhaps Win 95, or both), which checks for viruses continuously while you work.


  • Heuristic scanners - scanners that inspect executable files for code using operations that might denote an unknown virus.


  • Monitor/behaviour blocker - a TSR that monitors programs while they are running for behaviour which might denote a virus.


  • Change detectors/checksummers/integrity checkers - programs that keep a database of the characteristics of all executable files on a system and check for changes which might signify an attack by an unknown virus.


  • Cryptographic checksummers use a cryptographic algorithm (typically a keyed hash) to compute the stored values, so that a virus written to target that particular checksummer cannot simply recompute them and lessen the risk of the checker being fooled.
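The first and last entries of the list above, known-virus scanning and change detection, fail in different ways: an exact scan string misses a copy whose bytes have changed, and an unkeyed change detector can be fooled by a virus that rewrites the checksum database. The following added example (not code from the FAQ or from any product it mentions) shows both sides: a scan string with a wildcard byte catches a variant that the exact byte string misses, and a keyed HMAC checksum still reports a modified file after the virus has rewritten an unkeyed CRC database. The byte samples, file names, "disk" and key are constructed for the illustration; the files are in-memory byte strings.

```python
"""Added example (not from the FAQ): a scan-string scanner beside a
change detector, plain and cryptographic. All samples are constructed."""
import hashlib
import hmac
import zlib
from typing import Dict, List, Optional, Sequence

# ---- Known-virus scanner: scan strings, optionally with wildcard bytes ----
# Constructed sample "infective routine": mov ax,4C00h ; nop ; int 21h.
KNOWN_SAMPLE = bytes([0xB8, 0x00, 0x4C, 0x90, 0xCD, 0x21])
# A copy whose fourth byte a hypothetical polymorphic engine changed (clc instead of nop).
MUTATED_SAMPLE = bytes([0xB8, 0x00, 0x4C, 0xF8, 0xCD, 0x21])

FIXED_STRING: Sequence[Optional[int]] = list(KNOWN_SAMPLE)                        # exact bytes only
WILDCARD_STRING: Sequence[Optional[int]] = [0xB8, 0x00, 0x4C, None, 0xCD, 0x21]  # None = any byte

def scan(data: bytes, pattern: Sequence[Optional[int]]) -> Optional[int]:
    """Offset of the first match of pattern in data, or None if absent."""
    n = len(pattern)
    for pos in range(len(data) - n + 1):
        if all(p is None or data[pos + i] == p for i, p in enumerate(pattern)):
            return pos
    return None

# ---- Change detectors: an unkeyed CRC32 database and a keyed HMAC database ----
# Constructed key; the point is that it lives on the write-protected boot floppy,
# not on the disk being checked, so a virus cannot read it.
SECRET_KEY = b"constructed key kept off the scanned disk"

def crc32(body: bytes) -> int:
    return zlib.crc32(body) & 0xFFFFFFFF

def keyed_mac(body: bytes, key: bytes = SECRET_KEY) -> str:
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def baseline(files: Dict[str, bytes], compute) -> dict:
    """Record one value per executable while the system is known clean."""
    return {name: compute(body) for name, body in files.items()}

def changed_files(files: Dict[str, bytes], db: dict, compute) -> List[str]:
    """Executables whose current value no longer matches the stored one."""
    return sorted(name for name, body in files.items() if compute(body) != db.get(name))

def infect(files: Dict[str, bytes], victim: str, payload: bytes) -> Dict[str, bytes]:
    """Simulate a file virus appending its body to one executable."""
    infected = dict(files)
    infected[victim] = files[victim] + payload
    return infected

# Constructed "disk": a stub EXE and a tiny COM (mov ah,09h ; int 21h).
CLEAN_DISK = {"MYAPP.EXE": b"MZ" + bytes(30), "EDIT.COM": bytes([0xB4, 0x09, 0xCD, 0x21])}

def demo() -> dict:
    r = {}
    # Scanner: the exact string finds the known copy but not the mutated one;
    # the wildcard string finds the mutated one as well.
    r["fixed_finds_known"] = scan(KNOWN_SAMPLE, FIXED_STRING) is not None
    r["fixed_finds_mutated"] = scan(MUTATED_SAMPLE, FIXED_STRING) is not None
    r["wildcard_finds_mutated"] = scan(MUTATED_SAMPLE, WILDCARD_STRING) is not None

    # Checksummers: baselines taken while clean, then MYAPP.EXE gets infected.
    crc_db = baseline(CLEAN_DISK, crc32)
    mac_db = baseline(CLEAN_DISK, keyed_mac)
    disk = infect(CLEAN_DISK, "MYAPP.EXE", MUTATED_SAMPLE)
    r["crc_detects"] = changed_files(disk, crc_db, crc32)                        # ["MYAPP.EXE"]
    # A virus written against this checksummer just rewrites the unkeyed database...
    r["crc_after_tamper"] = changed_files(disk, baseline(disk, crc32), crc32)   # []
    # ...but without the key the best it can do for the HMAC database is a guess.
    forged = dict(mac_db)
    forged["MYAPP.EXE"] = keyed_mac(disk["MYAPP.EXE"], key=b"virus guess")
    r["hmac_after_tamper"] = changed_files(disk, forged, keyed_mac)              # ["MYAPP.EXE"]
    return r

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The wildcard string buys detection of this one mutation only; a real polymorphic virus changes far more than a byte, which is why scanners moved to emulation and why the integrity checker, which needs no knowledge of the virus at all, is the stronger defence against unknown infectors. Its weakness is the baseline itself: take it from a clean boot, keep the key and the database off the disk being checked, and run the check after a cold boot from a write-protected floppy, as the CMOS note above recommends.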


Website created & maintained
courtesy of Barbara Anello

DAWN Ontario
Box 1138 North Bay, ON P1B 8K4